register_globals = off (Score:5, Informative)
Re:register_globals = off (Score:2, Informative)
Not only that, but for new people, magic_quote_gpc = On
For those not familiar with php, this will escape single quotes in GET/POST/COOKIE data. Helps protect the unfamiliar from things like SQL injection attacks. Once you know what you are doing they can be a bit of a pain in the ass, but for new people, it can help make your code a bit safer.
Re:register_globals = off (Score:5, Funny)
Switch the damn thing off. It's a bloody annoying hack which may (or may not be) switched on for a particular web host, meaning that for security reasons your code has to check whether it's switched on or off, and massage data accordingly. :-)
I've got two functions which automatically strip incoming data of any added escaping, because with my form validation stuff the text may either go into an SQL query or back into the form again, with missing fields highlighted. Text might have come out of the database sans escaping, for editing purposes, and I don't want to have to write my forms code to treat data differently depending on its source. If everything's plain, unescaped text, it makes things so much simpler...
A couple of simple rules - firstly, when creating a database query, always (integer )$record_id or '".mysql_escape_string( $input_string )."' all variables in your queries, having previously checked them for sanity.
Secondly, keep as much code as possible in defined functions, out of the scope of register_globals idiocy. Yes, it can be switched off, but always assume that it's switched on, and is your enemy. Plus, it's a lot easier to track incoming data in your code when it's all defined at the beginning...
page_record_input( ACTION_EDIT, array_unescape( $_POST['input_record'] ), (integer )$_GET['record_id'] );
And lastly, always assume that your users are out to get you. Validate all data, and assume everything and everyone is hostile.
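The discipline laid out in the post above, written out as an added example; this is not the commenter's code. `array_unescape` is a hypothetical reconstruction of the function the post names, and `magic_quotes_active`, `plain_input`, `valid_record_id`, `valid_title`, `update_title_sql`, the `records` table and its `title`/`record_id` columns are all assumptions. Because `magic_quotes_gpc` was removed in PHP 5.4 and the `mysql` extension in PHP 7.0, the escaping function is passed in as a callback rather than hard-wired to `mysql_escape_string`, so the same code runs on old and new interpreters.

```php
<?php
// Added example, not the commenter's code. All function and table names are hypothetical.
// Goal: the rest of the application always sees plain, unescaped text, whatever
// magic_quotes_gpc happens to be set to on a given host.

// True only when the interpreter actually escaped GET/POST/COOKIE data.
// magic_quotes_gpc was removed in PHP 5.4, so on newer versions this is always false.
function magic_quotes_active() {
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recursively undo the backslash escaping that magic_quotes_gpc added.
function array_unescape($value) {
    if (is_array($value)) {
        return array_map('array_unescape', $value);   // single array: keys are preserved
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Normalise a superglobal once, at the top of the script, so no later code has to
// ask whether the data it is holding was escaped or not.
function plain_input(array $source) {
    return magic_quotes_active() ? array_unescape($source) : $source;
}

// Sanity checks come before escaping: a record id is a string of digits,
// a title is short and contains no control characters.
function valid_record_id($id) {
    return is_scalar($id) && ctype_digit((string) $id);
}

function valid_title($title) {
    return is_string($title)
        && strlen($title) <= 200
        && !preg_match('/[\x00-\x1f\x7f]/', $title);
}

// Build the query the way the post describes: integers are cast, strings are escaped
// and quoted. $escape is the escaping function of the database connection in use
// (mysql_escape_string on the PHP 4/5 mysql extension, mysqli_real_escape_string today).
function update_title_sql($record_id, $title, callable $escape) {
    if (!valid_record_id($record_id) || !valid_title($title)) {
        throw new InvalidArgumentException('rejected record input');
    }
    return "UPDATE records SET title = '" . $escape($title) . "'"
         . " WHERE record_id = " . (integer) $record_id;
}

// Usage: normalise once at the top of the script...
$post = plain_input($_POST);
$get  = plain_input($_GET);

// ...then every later function can treat the data as plain text, without caring
// whether it arrived from a form or came back out of the database for editing.
if (isset($post['title'], $get['record_id'])) {
    echo update_title_sql($get['record_id'], $post['title'], function ($s) {
        // addslashes is a stand-in so the example runs without a database connection;
        // in real code pass the escaping function of your driver here.
        return addslashes($s);
    });
}
```

The ordering matters: validate first, then cast or escape at the single point where the value enters the query string. Putting the escaping callback behind one function also makes it easy to replace the whole string-building step with a prepared statement (PDO or mysqli) later, which removes the escaping question from the application code altogether.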
Re:register_globals = off (Score:1)
Apart from that validate thing, you'd make a good POTUS.